AD trusts and firewall

jjeff1

I have the following scenario.

Parent forest/domain with 2 child forest/domains. Basically 2 companies are being bought by a third company. The third company is the parent forest/domain.

The Parent forest/domain will be separated from the child forest/domains by firewalls. Each child will access resources in the parent and vice versa.

In this scenario do the child domain controllers need to be able to contact each other? Do I have to build a VPN between child sites, or is a VPN from each child to the parent sufficient?
 
As far as I can see, parent to child should be fine; you don't need a fully routed network for this to work.
 
The bare minimum you'll need is a VPN between the parent and the children. If you want to access resources at the opposite child's domain, you'll need to make sure the children have routes to each other (via the parent VPN or p2p VPNs).
 
All DCs in the site must be able to talk to each other.

Otherwise it just matters that it's vertical. We have a setup much like you're describing (much, much bigger though) and our DCs do not ping each other horizontally (site to site). But they can obviously ping up the chain to the root/forest DCs.
 